Topic: outgoing mails stopped working since yesterday

[veeresh]

Hi,

I have sme 7 server working fine for the last three months. since yesterday outgoing mails are not going out.  they leave the server after a restart.

here is my qpsmtpd current log

click, disconnecting
@40000000458a11d31a3bd3f4 3149 cleaning up after 30746
@40000000458a11d31a3e9ae4 3149 cleaning up after 30750
@40000000458a11f60615079c 30744 dispatching HELO 22.168.226.200.in-addr.arpa.ig.
@40000000458a11f60618dffc 30744 503 but you already said HELO ...
@40000000458a11fe183b4cec 30744 dispatching MAIL FROM:<aj@thungasoft.com>
@40000000458a11fe1841194c 30744 full from_parameter: FROM:<aj@thungasoft.com>
@40000000458a11fe1843a1bc 30744 from email address : [<aj@thungasoft.com>]
@40000000458a11fe184ffdcc 30744 running plugin (mail): bcc
@40000000458a11fe18546e84 30744 trying to get config for bcc_ignore_mailfrom
@40000000458a11fe1858fa94 30744 Plugin bcc, hook mail returned DECLINED,
@40000000458a11fe185ba62c 30744 running plugin (mail): require_resolvable_fromho
@40000000458a11fe185fccac 30744 trying to get config for invalid_resolvable_from
@40000000458a11fe186913ac 30744 trying to get config for require_resolvable_from
@40000000458a11fe186ed454 30744 Plugin require_resolvable_fromhost, hook mail re
@40000000458a11fe187154f4 30744 running plugin (mail): check_badmailfrom
@40000000458a11fe18757f5c 30744 trying to get config for badmailfrom
@40000000458a11fe187aedfc 30744 Plugin check_badmailfrom, hook mail returned DEC
@40000000458a11fe187e0ec4 30744 getting mail from <aj@thungasoft.com>
@40000000458a11fe1880c22c 30744 250 <aj@thunga.com>, sender OK - how excitin
@40000000458a12051a12108c 3149 cleaning up after 30744


and here is qmail current log

@40000000458a159a1ed5b704 new msg 2442424
@40000000458a159a1ed5c2bc info msg 2442424: bytes 251 from <root@thungasoft.com> qp 31236 uid 0
@40000000458a159a1f2eb05c starting delivery 23201: msg 2442424 to remote c_t@vsnl.com
@40000000458a159a1f2edb54 status: local 0/10 remote 1/20
@40000000458a15e01d2c1614 delivery 23201: success: 203.200.235.143_accepted_message./Remote_host_said:_250_2.5.0_Ok./
@40000000458a15e01d2e38f4 status: local 0/10 remote 0/20
@40000000458a15e01d2f5a04 end msg 2442424
@40000000458a15ea1e027ccc starting delivery 23202: msg 2453391 to remote aguilar@netspoke.net
@40000000458a15ea1e02d2bc status: local 0/10 remote 1/20
@40000000458a15ea1e0b7d7c starting delivery 23203: msg 2453379 to remote amphitheatric000@china-lutong.com
@40000000458a15ea1e0ba874 status: local 0/10 remote 2/20
@40000000458a15ea1e320c94 delivery 23203: deferral: connect()_called_with_address_0.0.0.0/Sorry,_I_wasn't_able_to_establish_a
@40000000458a15ea1e323f5c status: local 0/10 remote 1/20
@40000000458a15fa1eeb4e5c starting delivery 23204: msg 2446909 to remote belch@optonline.net
@40000000458a15fa1eeb8124 status: local 0/10 remote 2/20
@40000000458a15fb06f00234 delivery 23204: deferral: Connected_to_167.206.4.79_but_greeting_failed./Remote_host_said:_452_try_
@40000000458a15fb06f034fc status: local 0/10 remote 1/20
@40000000458a15fe32eefa84 delivery 23202: deferral: Sorry,_I_couldn't_find_any_host_by_that_name._(#4.1.2)/
@40000000458a15fe32ef2964 status: local 0/10 remote 0/20
@40000000458a162033d445bc starting delivery 23205: msg 2446812 to remote auqdi@csc.com
@40000000458a162033d47884 status: local 0/10 remote 1/20
@40000000458a16242d69ffdc delivery 23205: deferral: 216.82.248.44_does_not_like_recipient./Remote_host_said:_421_Service_Temp
@40000000458a16242d6a368c status: local 0/10 remote 0/20
@40000000458a16772e3425dc starting delivery 23206: msg 2445010 to remote m3jca@micronpc.com
@40000000458a16772e3458a4 status: local 0/10 remote 1/20
@40000000458a16b40296aa94 delivery 23206: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@40000000458a16b40296dd5c status: local 0/10 remote 0/20



any pointers as to what look for


thanks in advance

veeresh

[mmccarn]

Your qmail log seems to be showing 1 mail getting through, 2 being denied by the target host, and one with no valid target host...

I'd start here:

netstat -an | grep \:25\ | less

Then go to http://www.dnsstuff.com and check out all the IPs your server is talking to (or trying to talk to).

I few months ago I had a server on one network hacked, which got me listed on lots of RBLs, and for a couple weeks my outgoing email connections got soaked up by various tarpits - If I restarted my mail server I'd send out 20 - 40 messages, then all available outbound smtp connections would be eaten up by tarpits and nothing else would go out until I rebooted.

[mmccarn]

[accidental double-post deleted]

[byte]

Moving this topic to the SME Server 7.x forum, it is more appropriate there. Thanks!

[kmwanga]

iam running sme sever 7.0 mail server and ms outlook as email client. when i configure email accounts in the client and try to do a test, it complains about the e-mail address as though it were not valid.

further, if i send mail, it appears to go but is not delivered.

please help!

[byte]

iam running sme sever 7.0 mail server and ms outlook as email client. when i configure email accounts in the client and try to do a test, it complains about the e-mail address as though it were not valid.

I've seen this before but it only happens to the test email i think can't remember reason that is. Do a search it will be here.

[byte]

Here it is

http://forums.contribs.org/index.php?topic=32839.0

[veeresh]

thanks mmccarn,

seems to be what you mentioned.

several questions

how did you know you were hacked.

what did you do after you you found the server was hacked and how did you solve this issue.

thanks again

veeresh

[CharlieBrady]

...
@40000000458a15ea1e02d2bc status: local 0/10 remote 1/20
@40000000458a15ea1e0b7d7c starting delivery 23203: msg 2453379 to remote amphitheatric000@china-lutong.com
@40000000458a15ea1e0ba874 status: local 0/10 remote 2/20
@40000000458a15ea1e320c94 delivery 23203: deferral: connect()_called_with_address_0.0.0.0/Sorry,_I_wasn't_able_to_establish_a
@40000000458a15ea1e323f5c status: local 0/10 remote 1/20
...

For the record, this indicates that you were trying to send a message (probably a bounce message) to a domain which has an invalid MX address (0.0.0.0). On an unmodified qmail system, this causes mail to loop back through your own server.

[mmccarn]

how did you know you were hacked.

what did you do after you you found the server was hacked and how did you solve this issue.

In my case I traced the outgoing emails to an Apple computer with a weak root password that had 65,000 messages in /var/spool/postfix even though it wasn't supposed to be a mail server.  We scrubbed and re-loaded the system from scratch and changed the IP address used by our SME box for outbound email.

In SME 7 I'd start by looking at 'Summarize status of mail queue' in 'Mail log file analysis' in server-manager, and by looking up my own mail server's IP at http://www.dnsstuff.com.

I find "qmHandle" very useful for gathering info about the mail queue from the command line; you can get a SME rpm from http://www.saco-support.de/index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=0&nav=0  but be careful about deleting messages with qmHandle - under certain circumstances deleting messages will cause qmail to shutdown and need to be restarted.

[CharlieBrady]

I find "qmHandle" very useful for gathering info about the mail queue from the command line; you can get a SME rpm from http://www.saco-support.de/index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=0&nav=0  but be careful about deleting messages with qmHandle - under certain circumstances deleting messages will cause qmail to shutdown and need to be restarted.

Don't ever mess with qmail's queue without stopping qmail first.

[veeresh]

thanks mmccarn and charlie,

Two of the client machines were infected with worms which caused the problem. We cleaned these two machines and also reinstalled the sme7 server.  I created the users,ibays, etc using the LAT tool.

I have some new issues,
1. the BccUser is not working.  The qpsmtpd config is as  follows

qpsmtpd=service
    Bcc=enabled
    BccUser=backup@abc.com
    DNSBL=enabled
    LogLevel=8
    MaxScannerSize=25000000
    RBLList=sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org
    RHSBL=enabled
    RequireResolvableFromHost=no
    SBLList=dsn.rfc-ignorant.org
    access=public
    status=enabled

the qmail config is

qmail=service
    DoubleBounceTo=devnull
    MaxMessageSize=15000000
    status=enabled


2. Some users are complaining they are not receiving incoming mails.

any pointers about how to deal with the above issues.

are details of incoming and outgoing mails logged only into var/log/qpsmtpd/current ?

Thanks in advance

Veeresh